.github: do a functional check for az login

Instead of checking for the "cause" of login failure, check for the symptom, so we don't get false positives. Signed-off-by: Steve Kuznetsov <stekuznetsov@microsoft.com>
Azure · Nov 22, 2024 · ea04ae1 · ea04ae1
1 parent 6273bb8
commit ea04ae1
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 9 deletions.
diff --git a/.github/workflows/aro-hcp-cd.yml b/.github/workflows/aro-hcp-cd.yml
@@ -41,15 +41,6 @@
     cancel-in-progress: false
 
   jobs:
-    is_running_on_fork:
-      name: 'Ensure PR is submitted from Azure/ARO-HCP'
-      if: github.event_name != 'workflow_dispatch'
-      runs-on: ubuntu-latest
-      steps:
-        - name: Fail if PR submitted from fork
-          if: ${{ github.event.pull_request.head.repo.full_name != 'Azure/ARO-HCP' }}
-          run: core.setFailed('Expected source repository to be Azure/ARO-HCP, not ${{ github.event.pull_request.head.repo.full_name }}, re-create PR as a branch of Azure/ARO-HCP')
-
     deploy_global_rg:
       name: 'Deploy global resources'
       if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'

diff --git a/.github/workflows/aro-hcp-login-check.yml b/.github/workflows/aro-hcp-login-check.yml
@@ -0,0 +1,52 @@
+---
+  name: ARO HCP Continuous Deployment
+  on:
+    workflow_dispatch:
+    pull_request:
+      branches:
+        - main
+      paths:
+        - '.github/workflows/aro-hcp-cd.yml'
+        - '.github/workflows/environment-infra-cd.yml'
+        - '.github/workflows/services-cd.yml'
+        - '.github/workflows/services-ci.yml'
+        - 'config/config.yaml'
+        - 'dev-infrastructure/**/*.bicep'
+        - 'dev-infrastructure/**/*.bicepparam'
+        - 'dev-infrastructure/configurations/*'
+        - 'frontend/**'
+        - 'backend/**'
+        - 'cluster-service/**'
+        - 'internal/**'
+        - 'maestro/**'
+        - 'pko/**'
+        - 'acm/**'
+        - 'hypershiftoperator/**'
+        - 'image-sync/**/'
+        - 'tooling/image-sync/**'
+        - 'tooling/templatize/**'
+        - 'config/*'
+      types:
+        - opened
+        - synchronize
+        - reopened
+        - closed
+
+  jobs:
+    is_running_on_fork:
+      name: 'Ensure PR is submitted from Azure/ARO-HCP'
+      if: github.event_name != 'workflow_dispatch'
+      runs-on: ubuntu-latest
+      permissions:
+        id-token: 'write'
+        contents: 'read'
+      steps:
+        - name: 'Az CLI login - will fail if PR is submitted from a fork of the repo'
+          uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+          with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        - name: Fail if PR submitted from fork
+          if: failure()
+          run: core.setFailed('Expected source repository to be Azure/ARO-HCP, not ${{ github.event.pull_request.head.repo.full_name }}, re-create PR as a branch of Azure/ARO-HCP')