Use OIDC keys for the OSPO API (#32482)

See /dotnet/docs#40676 and #40674 for the corresponding PR. Co-authored-by: Bill Wagner <[email protected]>
dotnet · May 1, 2024 · bd85146 · bd85146
1 parent f59d7a5
commit bd85146
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 4 deletions.
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
@@ -15,6 +15,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+      id-token: write
     if: ${{ github.repository_owner == 'dotnet' }}
 
     steps:
@@ -23,13 +24,26 @@ jobs:
         run: |
           echo "Reason: ${{ github.event.inputs.reason }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
       - name: bulk-sequester
         id: bulk-sequester
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
         with:

diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
@@ -22,6 +22,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+      id-token: write
 
     steps:
       - name: "Print manual run reason"
@@ -30,14 +31,27 @@ jobs:
           echo "Reason: ${{ github.event.inputs.reason }}"
           echo "Issue number: ${{ github.event.inputs.issue }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
       # This step occurs when ran manually, passing the manual issue number input
       - name: manual-sequester
         if: ${{ github.event_name == 'workflow_dispatch' }}
         id: manual-sequester
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -53,7 +67,7 @@ jobs:
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}

diff --git a/.github/workflows/whats-new.yml b/.github/workflows/whats-new.yml
@@ -23,6 +23,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     if: ${{ github.repository_owner == 'dotnet' }}
 
     # Steps represent a sequence of tasks that will be executed as part of the job
@@ -34,10 +35,23 @@ jobs:
         run: |
           echo "Reason: ${{ github.event.inputs.reason }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+     
       - uses: dotnet/docs-tools/WhatsNew.Cli@main
         env:
           GitHubKey: ${{ secrets.GITHUB_TOKEN }}
-          OspoKey: ${{ secrets.OSPO_KEY }}
+          AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
         with:
           owner: dotnet
           repo: AspNetCore.Docs