From a9af7b46561859b68f112b20b6ef00a49a197c22 Mon Sep 17 00:00:00 2001 From: FranciscoJavierOrtegaPalacios <111856750+FranciscoJavierOrtegaPalacios@users.noreply.github.com> Date: Tue, 11 Jun 2024 13:48:08 +0100 Subject: [PATCH] Update build pipeline to auth with OpenId and use actions with Node.js 20 (#198) Updated build pipeline to auth with azure using OpenID. Updated github actions in the build pipeline to use Node.js 20. --- .../actions/actionAzVmRunCommand/action.yml | 6 +- .github/workflows/buildPipeline.yml | 56 +++++++++++-------- 2 files changed, 36 insertions(+), 26 deletions(-) diff --git a/.github/actions/actionAzVmRunCommand/action.yml b/.github/actions/actionAzVmRunCommand/action.yml index b6eda980..08f148c9 100644 --- a/.github/actions/actionAzVmRunCommand/action.yml +++ b/.github/actions/actionAzVmRunCommand/action.yml @@ -5,7 +5,7 @@ description: "This action uses az vm run-command in order to execute a command i # WARNING: This action ONLY checks the exit code of the last command. If your script input is made of multiple commands, # make sure that a failure early results in the last command failing or not executing, otherwise it could mask errors. # Some options to do this include using [set -euo pipeline] or equivalents, or using the && operator to connect console commands - # WARNING: This action hasn't been tested with script files. + # WARNING: This action hasn't been tested with script files. inputs: commandName: description: "Name of the command to execute" @@ -15,10 +15,10 @@ inputs: required: true runs: using: "composite" - steps: + steps: - name: Execute the command in Linux if: ${{ env.os == 'linux' }} - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm run-command create \ diff --git a/.github/workflows/buildPipeline.yml b/.github/workflows/buildPipeline.yml index 9024dbc4..68f2a56e 100644 --- a/.github/workflows/buildPipeline.yml +++ b/.github/workflows/buildPipeline.yml 
@@ -8,6 +8,9 @@ on: pull_request: branches: [ "master" ] +permissions: + id-token: write + contents: read # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: @@ -41,16 +44,17 @@ jobs: rgName: dcap-github-actions-agents-rg location: ${{ matrix.location }} branchName: ${{ github.head_ref }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: azure/login@v1 + - uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Create VM uses: azure/CLI@v1 @@ -215,7 +219,7 @@ jobs: - name: Cleanup if: always() - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm delete \ @@ -258,14 +262,16 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: azure/login@v1 + - uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Start VM - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm start \ @@ -276,7 +282,7 @@ jobs: run: sleep 60 - name: Clone the DCAP repo after cleaning up the previous execution - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm run-command create \ 
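Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in this file, so any job — including a future one that never calls `azure/login` — can mint a GitHub OIDC token that the Azure federated credential will accept; move the grant into each job that actually logs in (`permissions:` / `  id-token: write` / `  contents: read` under the job) so the workflow default stays read-only. With OIDC the trust decision lives in the federated identity credential on the Azure app registration, so its subject claim should be pinned to this repository and the triggers used here (`pull_request` and the `master` branch) rather than a wildcard; that configuration is outside this diff, so I can only ask that it be checked. The workflow still runs on `pull_request`, and to my understanding pull requests from forks cannot obtain an OIDC token, so on those runs the login step will fail rather than authenticate — confirm that is the intended behavior for external contributions.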
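Review bot: The `Create VM` step that follows the rewritten login in the `@@ -41,16 +44,17 @@` hunk is still `uses: azure/CLI@v1`, while every other `azure/CLI` step in this commit moves to `@v2`, so this job keeps running the Node.js 16 action the commit set out to retire; change it to `uses: azure/CLI@v2`. The bumped actions are referenced by mutable major-version tags (`actions/checkout@v4`, `azure/login@v2`), and a compromised or force-pushed tag would redirect these steps to different code that then runs with the OIDC-derived Azure session; pinning each `uses:` to a full commit SHA with the tag in a trailing comment (e.g. `uses: azure/login@<sha> # v2`) removes that exposure. Note also that `branchName: ${{ github.head_ref }}` in this hunk's context is attacker-controlled on a `pull_request` trigger; I cannot see where it is consumed, but if it is expression-expanded into the `az vm run-command` scripts further down it should be passed through an `env:` variable and quoted in the script instead.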
@@ -294,7 +300,7 @@ jobs: if [[ "$result" == *"DCAP_Build_Step_Successfully_Completed"* ]]; then echo "Step successfully executed"; else exit 1; fi - name: Build Azure DCAP - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm run-command create \ @@ -312,7 +318,7 @@ jobs: if [[ "$result" == *"DCAP_Build_Step_Successfully_Completed"* ]]; then echo "Step successfully executed"; else exit 1; fi - name: Run Azure DCAP unit tests - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm run-command create \ @@ -331,7 +337,7 @@ jobs: - name: Stop VM if: always() - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm deallocate \ @@ -368,14 +374,16 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: azure/login@v1 + - uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Create VM - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm create \ @@ -513,7 +521,7 @@ jobs: - name: Cleanup if: always() - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm delete \ @@ -561,14 +569,16 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: azure/login@v1 + - uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Create VM - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm create \ 
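Review bot: The `azure/login@v2` step added in the `@@ -368,14 +374,16 @@` hunk depends on setup that the workflow does not document: the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` secrets must be populated and a federated credential must exist on the app registration for this repository, and a reader of this file has no way to know that from the step itself; add a comment above it such as `# OIDC login: needs AZURE_CLIENT_ID/TENANT_ID/SUBSCRIPTION_ID repo secrets and a federated credential on the Azure app registration`. Because the removed `creds: ${{ secrets.AZURE_CREDENTIALS }}` line carried a long-lived service-principal secret, that secret should be deleted from the repository settings and the client secret revoked on the app registration once this merges, otherwise the old credential remains valid with nothing using it; this is outside the diff, so I am noting it rather than proposing a change. The enclosing job definition starts before this hunk.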
@@ -731,7 +741,7 @@ jobs: - name: Cleanup if: always() - uses: azure/CLI@v1 + uses: azure/CLI@v2 with: inlineScript: | az vm delete \