diff --git a/.github/actions/login-to-azure/action.yml b/.github/actions/login-to-azure/action.yml index 409734c03..6d3186c8a 100644 --- a/.github/actions/login-to-azure/action.yml +++ b/.github/actions/login-to-azure/action.yml @@ -1,9 +1,9 @@ name: Login to Azure description: > - Logs in to Azure using a service principal. After a successful login, the action will set up the necessary credentials - and environment variables for the service to be able to access Azure resources. The service can then use these - credentials to make API calls to Azure services. Intentionally not documented in Actions.md since it's only meant for - internal use. + Logs in to Azure using OpenID Connect by impersonating a Service Principal or Managed Credential. After a successful + login, the action will set up the necessary credentials and environment variables for the service to be able to access + Azure resources. The service can then use these credentials to make API calls to Azure services. Intentionally not + documented in Actions.md since it's only meant for internal use. inputs: enable-az-ps-session: @@ -18,5 +18,7 @@ runs: # v1.4.6 uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 with: - creds: ${{ env.SERVICE_PRINCIPAL }} + client-id: ${{ env.AZURE_CLIENT_ID }} + tenant-id: ${{ env.AZURE_TENANT_ID }} + subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: ${{ inputs.enable-az-ps-session }} diff --git a/.github/workflows/build-and-test-dotnet.yml b/.github/workflows/build-and-test-dotnet.yml index 9427f8947..c97ee2ac6 100644 --- a/.github/workflows/build-and-test-dotnet.yml +++ b/.github/workflows/build-and-test-dotnet.yml @@ -4,6 +4,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. 
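Review bot: In the `login-to-azure/action.yml` description hunk, "impersonating a Service Principal or Managed Credential" misdescribes the mechanism and "Managed Credential" is not an Azure term: the job's GitHub-issued OIDC token is exchanged for an Entra access token through a federated identity credential configured on an app registration (service principal) or a user-assigned managed identity. Suggest `Logs in to Azure using OpenID Connect via a federated identity credential on a Service Principal or user-assigned Managed Identity.` The description should also state that the calling job must grant `id-token: write`, because a composite action cannot request permissions for itself and azure/login cannot fetch the OIDC token without it; the three `env` names it expects (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`) belong in that description too, since the action has no declared inputs for them.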
diff --git a/.github/workflows/build-and-test-orchard-core.yml b/.github/workflows/build-and-test-orchard-core.yml index dfe34fc9b..4c77b1b35 100644 --- a/.github/workflows/build-and-test-orchard-core.yml +++ b/.github/workflows/build-and-test-orchard-core.yml @@ -4,6 +4,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/build-dotnet.yml b/.github/workflows/build-dotnet.yml index 8d035c8d3..5cb3274b9 100644 --- a/.github/workflows/build-dotnet.yml +++ b/.github/workflows/build-dotnet.yml @@ -5,6 +5,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/create-jira-issues-for-community-activities.yml b/.github/workflows/create-jira-issues-for-community-activities.yml index 7fa310aa3..05d8590cf 100644 --- a/.github/workflows/create-jira-issues-for-community-activities.yml +++ b/.github/workflows/create-jira-issues-for-community-activities.yml 
@@ -19,14 +19,17 @@ on: required: true description: The project key in JIRA, i.e. the prefix of issue keys (the "KEY" part of KEY-123). DISCUSSION_JIRA_ISSUE_DESCRIPTION: + required: false description: > Template for the Jira issues to be created for GitHub discussions, using the internal markup format of Jira (not Markdown). See the documentation for details. ISSUE_JIRA_ISSUE_DESCRIPTION: + required: false description: > Template for the Jira issues to be created for GitHub issues, using the internal markup format of Jira (not Markdown). See the documentation for details. PULL_REQUEST_JIRA_ISSUE_DESCRIPTION: + required: false description: > Template for the Jira issues to be created for GitHub pull requests, using the internal markup format of Jira (not Markdown). See the documentation for details. diff --git a/.github/workflows/deploy-orchard1-to-azure-app-service.yml b/.github/workflows/deploy-orchard1-to-azure-app-service.yml index 204dc7113..a95a72075 100644 --- a/.github/workflows/deploy-orchard1-to-azure-app-service.yml +++ b/.github/workflows/deploy-orchard1-to-azure-app-service.yml 
@@ -3,17 +3,42 @@ name: Deploy Orchard 1 to Azure App Service concurrency: group: AzureDeployApp +permissions: + id-token: write + contents: read + on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. - AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL: + + # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action + # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used: + # https://github.com/azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID: required: true + description: > + The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the + client-id parameter when calling azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID: + required: true + description: > + The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter + when calling azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID: + required: true + description: > + The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id + parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the + subscription itself. + AZURE_APP_SERVICE_PUBLISH_PROFILE: required: true + MAINTENANCE_USER_NAME: MAINTENANCE_PASSWORD: @@ -90,6 +115,7 @@ jobs: deploy: runs-on: ${{ inputs.machine-type }} name: Deploy to Azure App Service + environment: ${{ inputs.slot-name }} defaults: run: shell: pwsh 
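Review bot: The new top-level `permissions:` block in `deploy-orchard1-to-azure-app-service.yml` does not by itself grant `id-token: write`: a reusable workflow can only downgrade the permissions its caller passes in, so every calling job must set `permissions: id-token: write` (and `contents: read`) or azure/login will fail when it requests the OIDC token. That caller-side requirement belongs next to the new secret descriptions, which currently only point at https://github.com/azure/login. In the same hunk, `MAINTENANCE_USER_NAME:` and `MAINTENANCE_PASSWORD:` are now the only secrets without `required:` or a `description:`, while every other secret in the file gets both.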
@@ -122,7 +148,9 @@ jobs: - name: Login to Azure uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev env: - SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }} - name: Initialize PowerShell modules uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev diff --git a/.github/workflows/deploy-to-azure-app-service.yml b/.github/workflows/deploy-to-azure-app-service.yml index 3a24496b3..efd47f438 100644 --- a/.github/workflows/deploy-to-azure-app-service.yml +++ b/.github/workflows/deploy-to-azure-app-service.yml 
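Review bot: In the `Login to Azure` step hunk the three identifiers reach `login-to-azure` only through `env:`, so a caller that wires up an empty or misnamed secret hands azure/login an empty string instead of failing at the `workflow_call` contract (the `required: true` on the secret definitions only catches a secret that is not passed at all). Consider declaring `client-id`, `tenant-id` and `subscription-id` as `inputs:` of the composite action and passing them with `with:`, so the dependency is part of the action's interface rather than three undocumented environment variable names that five workflows must spell identically.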
@@ -3,15 +3,39 @@ name: Deploy to Azure App Service concurrency: group: AzureDeployApp +permissions: + id-token: write + contents: read + on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. - AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL: + + # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action + # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used: + # https://github.com/azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID: + required: true + description: > + The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the + client-id parameter when calling azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID: required: true + description: > + The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter + when calling azure/login. + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID: + required: true + description: > + The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id + parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the + subscription itself. + AZURE_APP_SERVICE_PUBLISH_PROFILE: required: true @@ -113,6 +137,7 @@ jobs: deploy: runs-on: ${{ inputs.machine-type }} name: Deploy to Azure App Service + environment: ${{ inputs.slot-name }} defaults: run: shell: pwsh 
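Review bot: `AZURE_APP_SERVICE_PUBLISH_PROFILE` stays `required: true` in `deploy-to-azure-app-service.yml`, so this change removes the client secret from the service principal login but leaves a long-lived basic-auth deployment credential in the repository; anyone who obtains the publish profile can deploy regardless of the federated identity, which undercuts the point of moving to OIDC. Check whether the deploy step can run under the azure/login session instead; if the publish profile has to stay, give it a `description:` (it has none) that says what it is for and that it must be rotated independently of the OIDC identity.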
@@ -172,7 +197,9 @@ jobs: - name: Login to Azure uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev env: - SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }} - name: Initialize PowerShell modules uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev diff --git a/.github/workflows/msbuild-and-test.yml b/.github/workflows/msbuild-and-test.yml index 6263f8207..1484e3139 100644 --- a/.github/workflows/msbuild-and-test.yml +++ b/.github/workflows/msbuild-and-test.yml @@ -4,6 +4,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/post-pull-request-checks-automation.yml b/.github/workflows/post-pull-request-checks-automation.yml index 5cfba578c..bbcaa3bab 100644 --- a/.github/workflows/post-pull-request-checks-automation.yml +++ b/.github/workflows/post-pull-request-checks-automation.yml @@ -5,6 +5,7 @@ on: secrets: # We can't access org secrets here so they need to be passed in. MERGE_TOKEN: + required: false description: > An authentication token, like a personal access token (PAT), that provides write access to the repository and can be used to merge the pull request. This is necessary because when a pull request is merged while being diff --git a/.github/workflows/publish-nuget.yml b/.github/workflows/publish-nuget.yml index a4e8e069d..46579b86f 100644 --- a/.github/workflows/publish-nuget.yml +++ b/.github/workflows/publish-nuget.yml 
@@ -4,6 +4,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/reset-azure-environment.yml b/.github/workflows/reset-azure-environment.yml index e09522861..265660024 100644 --- a/.github/workflows/reset-azure-environment.yml +++ b/.github/workflows/reset-azure-environment.yml @@ -3,13 +3,36 @@ name: Reset Azure Environment concurrency: group: AzureResetEnvironment +permissions: + id-token: write + contents: read + on: workflow_call: secrets: - AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL: + # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action + # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used: + # https://github.com/azure/login. + AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID: + required: true + description: > + The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the + client-id parameter when calling azure/login. + AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID: + required: true + description: > + The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter + when calling azure/login. + AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID: required: true + description: > + The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id + parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the + subscription itself. + MAINTENANCE_USER_NAME: MAINTENANCE_PASSWORD: + inputs: cancel-workflow-on-failure: description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails. 
@@ -120,6 +143,7 @@ jobs: reset-azure-environment: runs-on: ${{ inputs.machine-type }} name: Reset Azure Environment + environment: ${{ inputs.destination-slot-name }} defaults: run: shell: pwsh @@ -128,7 +152,9 @@ jobs: - name: Login to Azure uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev env: - SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID }} - name: Initialize PowerShell modules uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 0c3e9ede3..e7b4647f3 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -4,6 +4,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/swap-azure-web-app-slots.yml b/.github/workflows/swap-azure-web-app-slots.yml index b575a0d32..6b16bf0c5 100644 --- a/.github/workflows/swap-azure-web-app-slots.yml +++ b/.github/workflows/swap-azure-web-app-slots.yml 
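Review bot: The `environment: ${{ inputs.destination-slot-name }}` hunk in `reset-azure-environment.yml` changes the OIDC token's subject: once a job references an environment, GitHub issues `sub` as `repo:<owner>/<repo>:environment:<name>` instead of the branch form, so a federated identity credential created for the old `ref:refs/heads/...` subject will stop matching and `Login to Azure` will fail after this lands. Document the required subject (or a custom subject claim) alongside the `AZURE_APP_SERVICE_RESET_*` secrets, and note that the environment is what gates a destructive reset of the destination slot's database and media, so its protection rules are the access control here.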
@@ -3,11 +3,33 @@ name: Swap Azure Web App Slots concurrency: group: AzureSwapAppSlots +permissions: + id-token: write + contents: read + on: workflow_call: secrets: - AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL: + # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action + # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used: + # https://github.com/azure/login. + AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID: + required: true + description: > + The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the + client-id parameter when calling azure/login. + AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID: required: true + description: > + The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter + when calling azure/login. + AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID: + required: true + description: > + The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id + parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the + subscription itself. + inputs: cancel-workflow-on-failure: description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails. @@ -52,6 +74,7 @@ jobs: swap-azure-web-app-slots: runs-on: ${{ inputs.machine-type }} name: Swap Azure Web App Slots + environment: ${{ inputs.destination-slot-name }} defaults: run: shell: pwsh 
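Review bot: The swap job now runs under the `destination-slot-name` environment (Production by default) while the deploy workflows run under `slot-name` (Staging by default). If the same app registration backs both `AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID` and `AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID`, it needs one federated identity credential per environment name, because the subject claim differs per environment. Worth one sentence in the new secrets comment in `swap-azure-web-app-slots.yml`; callers that only configure a Staging credential will see the swap login fail.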
@@ -60,7 +83,9 @@ jobs: - name: Login to Azure uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev env: - SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID }} - name: Initialize PowerShell modules uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev diff --git a/.github/workflows/swap-orchard1-azure-web-app-slots.yml b/.github/workflows/swap-orchard1-azure-web-app-slots.yml index d08786015..ff9a4e63d 100644 --- a/.github/workflows/swap-orchard1-azure-web-app-slots.yml +++ b/.github/workflows/swap-orchard1-azure-web-app-slots.yml 
@@ -3,13 +3,36 @@ name: Swap Azure Web App Slots concurrency: group: AzureSwapAppSlots +permissions: + id-token: write + contents: read + on: workflow_call: secrets: - AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL: + # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action + # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used: + # https://github.com/azure/login. + AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID: + required: true + description: > + The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the + client-id parameter when calling azure/login. + AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID: + required: true + description: > + The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter + when calling azure/login. + AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID: required: true + description: > + The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id + parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the + subscription itself. + MAINTENANCE_USER_NAME: MAINTENANCE_PASSWORD: + inputs: cancel-workflow-on-failure: description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails. @@ -62,6 +85,7 @@ jobs: swap-azure-web-app-slots: runs-on: ${{ inputs.machine-type }} name: Swap Azure Web App Slots + environment: ${{ inputs.destination-slot-name }} defaults: run: shell: pwsh 
@@ -70,7 +94,9 @@ jobs: - name: Login to Azure uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev env: - SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID }} - name: Initialize PowerShell modules uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev diff --git a/.github/workflows/test-analysis-failure.yml b/.github/workflows/test-analysis-failure.yml index ef3212dfe..70f88aaf9 100644 --- a/.github/workflows/test-analysis-failure.yml +++ b/.github/workflows/test-analysis-failure.yml @@ -5,6 +5,7 @@ on: workflow_call: secrets: CHECKOUT_TOKEN: + required: false description: > The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules are used. diff --git a/.github/workflows/validate-pull-request.yml b/.github/workflows/validate-pull-request.yml index 2563e581a..cddf6b899 100644 --- a/.github/workflows/validate-pull-request.yml +++ b/.github/workflows/validate-pull-request.yml @@ -5,6 +5,7 @@ on: secrets: # We can't access org secrets here so they must be passed in. JIRA_BASE_URL: + required: false description: > Configure as explained under https://github.com/marketplace/actions/jira-login#enviroment-variables. Note that it must NOT end with a slash. diff --git a/.github/workflows/validate-submodule-pull-request.yml b/.github/workflows/validate-submodule-pull-request.yml index 8b0071875..abcad9416 100644 --- a/.github/workflows/validate-submodule-pull-request.yml +++ b/.github/workflows/validate-submodule-pull-request.yml 
@@ -5,6 +5,7 @@ on: # We can't access org secrets here so they must be passed in. secrets: JIRA_BASE_URL: + required: false description: > Configure as explained under https://github.com/marketplace/actions/jira-login#enviroment-variables. Note that it must NOT end with a slash. diff --git a/Docs/Workflows.md b/Docs/Workflows.md index e8e1633f3..544d2f799 100644 --- a/Docs/Workflows.md +++ b/Docs/Workflows.md @@ -175,7 +175,7 @@ Refer to [Github Actions reusable workflows](https://docs.github.com/en/actions/ ## Deploy to Azure App Service workflow -This workflow builds and publishes a .NET web project and then deploys the app to [Azure App Service](https://azure.microsoft.com/en-us/services/app-service/). The workflow also supports [Ready to Run compilation](https://learn.microsoft.com/en-us/dotnet/core/deploying/ready-to-run). [Release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) are added to the corresponding Azure Application Insights resource. Example _deploy-to-azure-app-service.yml_: +This workflow builds and publishes a .NET web project and then deploys the app to [Azure App Service](https://azure.microsoft.com/en-us/services/app-service/). Requires [the repository to have an environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a name that matches the `slot-name` parameter. The workflow also supports [Ready to Run compilation](https://learn.microsoft.com/en-us/dotnet/core/deploying/ready-to-run). [Release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) are added to the corresponding Azure Application Insights resource. Example _deploy-to-azure-app-service.yml_: ```yaml name: Deploy to Azure App Service 
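Review bot: The sentence added to `Docs/Workflows.md` under `Deploy to Azure App Service workflow` says an environment matching `slot-name` is required but not why, and omits two things a caller must do: grant `permissions: id-token: write` on the calling job (the reusable workflow cannot elevate what it is given), and configure the Entra federated identity credential with the environment-form subject `repo:<owner>/<repo>:environment:<slot-name>`, since the job now references that environment. Both belong in this paragraph; the job definition in the example that follows is outside the visible hunks, so check that it shows the `permissions:` block as well.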
@@ -191,6 +191,7 @@ jobs: timeout-minutes: 60 app-name: AppName resource-group-name: ResourceGroupName + # This is also the default slot name but here's how you can configure it. slot-name: Staging url: https://www.myapp.com runtime: win-x86 @@ -198,7 +199,9 @@ jobs: ready-to-run: true application-insights-resource-id: "Azure resource ID of the corresponding AI resource" secrets: - AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }} + AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }} + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }} + AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }} AZURE_APP_SERVICE_PUBLISH_PROFILE: ${{ secrets.AZURE_APP_SERVICE_PUBLISH_PROFILE }} ``` @@ -276,7 +279,7 @@ jobs: ## Reset Azure Environment workflow -This workflow resets an Azure Environment, by replacing the Orchard Core Media Library and the Database with the ones from a given source slot. Optionally, [release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) can be added to the corresponding Azure Application Insights resource. Example _reset-azure-environment.yml_: +This workflow resets an Azure Environment, by replacing the Orchard Core Media Library and the Database with the ones from a given source slot. Requires [the repository to have an environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a name that matches the `destination-slot-name` parameter. Optionally, [release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) can be added to the corresponding Azure Application Insights resource. Example _reset-azure-environment.yml_: ```yaml name: Reset Azure Environment 
@@ -292,16 +295,21 @@ jobs: timeout-minutes: 60 app-name: AppName resource-group-name: ResourceGroupName + # These are also the default slot names but here's how you can configure them. + source-slot-name: Production + destination-slot-name: Staging database-connection-string-name: Database__ConnectionString master-database-connection-string-name: Database__ConnectionString-master storage-connection-string-name: Storage_ConnectionString secrets: - AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_RESET_ENVIRONMENT_SERVICE_PRINCIPAL }} + AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID }} + AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID }} + AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID }} ``` ## Swap Azure Web App Slots workflow -This workflow swaps two Azure Web App Slots associated with an Azure Web App. [Release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) are added to the corresponding Azure Application Insights resource. Example _swap-azure-web-app-slots.yml_: +This workflow swaps two Azure Web App Slots associated with an Azure Web App. Requires [the repository to have an environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a name that matches the `destination-slot-name` parameter. [Release annotations](https://learn.microsoft.com/en-us/azure/azure-monitor/app/annotations) are added to the corresponding Azure Application Insights resource. Example _swap-azure-web-app-slots.yml_: ```yaml name: Swap Azure Web App Slots 
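Review bot: The `Reset Azure Environment` and `Swap Azure Web App Slots` examples rename the caller-side secrets (`AZURE_APP_RESET_ENVIRONMENT_SERVICE_PRINCIPAL` and `AZURE_APP_SWAP_WEB_APP_SLOTS_SERVICE_PRINCIPAL` disappear), which is a breaking change for every consumer referencing these workflows at `@dev`. Add a migration note here telling callers to create the three new `*_ID` secrets and, once the OIDC login works, to delete the old client-secret credential from the app registration in Entra, not just the GitHub secret; otherwise the long-lived secret this change is meant to retire remains valid.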
@@ -317,13 +325,18 @@ jobs: timeout-minutes: 10 app-name: AppName resource-group-name: ResourceGroupName + # These are also the default slot names but here's how you can configure them. + source-slot-name: Staging + destination-slot-name: Production application-insights-resource-id: "Azure resource ID of the corresponding AI resource" secrets: - AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SWAP_WEB_APP_SLOTS_SERVICE_PRINCIPAL }} + AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID }} + AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID }} + AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID }} ``` -To restrict who can run the swap workflow, we recommend putting it into its own repository. [GitHub environments](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) would be better, because they not only provide [a nice display of what's currently deployed where](https://docs.github.com/en/actions/deployment/managing-your-deployments/viewing-deployment-history), but allow secrets specific to environments like staging/production, and also can have required reviewers (i.e. not everyone is able to run a swap who has write access to the repository). However, this latter one is [only available under the Enterprise plan](https://github.com/orgs/community/discussions/26262). (Branch protection rules are not a suitable substitute.) +To restrict who can edit or run the Swap workflow, we recommend putting into a separate repository independent of your application code. If you're [on the Enterprise plan, you can add required reviewers](https://github.com/orgs/community/discussions/26262) instead, so that not everyone is able to run a swap who has write access to the repository. 
This workflow has an alternate version (_swap-orchard1-azure-web-app-slots.yml_) designed for Orchard 1-based applications.
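Review bot: In the rewritten paragraph after the Swap example, "we recommend putting into a separate repository" is missing "it"; suggest `we recommend putting it into a separate repository independent of your application code.` The rewrite also drops the old text's explanation of what GitHub environments provide (deployment history and required reviewers), which is now more relevant rather than less, since `swap-azure-web-app-slots.yml` requires an environment named after `destination-slot-name`; keep a sentence saying that this environment's protection rules are what restrict who can trigger a production swap.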