OSOE-688: Azure authentication with Service Principal Federated Credentials

.github/actions/login-to-azure/action.yml

@@ -1,9 +1,9 @@
 name: Login to Azure
 description: >
-  Logs in to Azure using a service principal. After a successful login, the action will set up the necessary credentials
-  and environment variables for the service to be able to access Azure resources. The service can then use these
-  credentials to make API calls to Azure services. Intentionally not documented in Actions.md since it's only meant for
-  internal use.
+  Logs in to Azure using OpenID Connect by impersonating a Service Principal or Managed Credential. After a successful
+  login, the action will set up the necessary credentials and environment variables for the service to be able to access
+  Azure resources. The service can then use these credentials to make API calls to Azure services. Intentionally not
+  documented in Actions.md since it's only meant for internal use.
 
 inputs:
   enable-az-ps-session:
@@ -18,5 +18,7 @@ runs:
       # v1.4.6
       uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
       with:
-        creds: ${{ env.SERVICE_PRINCIPAL }}
+        client-id: ${{ env.AZURE_CLIENT_ID }}
+        tenant-id: ${{ env.AZURE_TENANT_ID }}
+        subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
         enable-AzPSSession: ${{ inputs.enable-az-ps-session }}

.github/workflows/build-and-test-dotnet.yml

@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/build-and-test-orchard-core.yml

@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/build-dotnet.yml

@@ -5,6 +5,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/create-jira-issues-for-community-activities.yml

@@ -19,14 +19,17 @@ on:
         required: true
         description: The project key in JIRA, i.e. the prefix of issue keys (the "KEY" part of KEY-123).
       DISCUSSION_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub discussions, using the internal markup format of Jira
           (not Markdown). See the documentation for details.
       ISSUE_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub issues, using the internal markup format of Jira (not
           Markdown). See the documentation for details.
       PULL_REQUEST_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub pull requests, using the internal markup format of Jira
           (not Markdown). See the documentation for details.

.github/workflows/deploy-orchard1-to-azure-app-service.yml

@@ -3,17 +3,42 @@ name: Deploy Orchard 1 to Azure App Service
 concurrency:
   group: AzureDeployApp
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.
-      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL:
+
+      # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action
+      # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used:
+      # https://github.com/azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID:
         required: true
+        description: >
+          The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the
+          client-id parameter when calling azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID:
+        required: true
+        description: >
+          The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter
+          when calling azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID:
+        required: true
+        description: >
+          The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id
+          parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the
+          subscription itself.
+
       AZURE_APP_SERVICE_PUBLISH_PROFILE:
         required: true
+
       MAINTENANCE_USER_NAME:
       MAINTENANCE_PASSWORD:
 
@@ -90,6 +115,7 @@ jobs:
   deploy:
     runs-on: ${{ inputs.machine-type }}
     name: Deploy to Azure App Service
+    environment: ${{ inputs.slot-name }}
     defaults:
       run:
         shell: pwsh
@@ -122,7 +148,9 @@ jobs:
       - name: Login to Azure
         uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev

.github/workflows/deploy-to-azure-app-service.yml

@@ -3,15 +3,39 @@ name: Deploy to Azure App Service
 concurrency:
   group: AzureDeployApp
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.
-      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL:
+
+      # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action
+      # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used:
+      # https://github.com/azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID:
+        required: true
+        description: >
+          The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the
+          client-id parameter when calling azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID:
         required: true
+        description: >
+          The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter
+          when calling azure/login.
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID:
+        required: true
+        description: >
+          The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id
+          parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the
+          subscription itself.
+
       AZURE_APP_SERVICE_PUBLISH_PROFILE:
         required: true
 
@@ -113,6 +137,7 @@ jobs:
   deploy:
     runs-on: ${{ inputs.machine-type }}
     name: Deploy to Azure App Service
+    environment: ${{ inputs.slot-name }}
     defaults:
       run:
         shell: pwsh
@@ -172,7 +197,9 @@ jobs:
       - name: Login to Azure
         uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev

.github/workflows/msbuild-and-test.yml

@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/post-pull-request-checks-automation.yml

@@ -5,6 +5,7 @@ on:
     secrets:
       # We can't access org secrets here so they need to be passed in.
       MERGE_TOKEN:
+        required: false
         description: >
           An authentication token, like a personal access token (PAT), that provides write access to the repository and
           can be used to merge the pull request. This is necessary because when a pull request is merged while being

.github/workflows/publish-nuget.yml

@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/reset-azure-environment.yml

@@ -3,13 +3,36 @@ name: Reset Azure Environment
 concurrency:
   group: AzureResetEnvironment
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
-      AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL:
+      # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action
+      # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used:
+      # https://github.com/azure/login.
+      AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID:
+        required: true
+        description: >
+          The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the
+          client-id parameter when calling azure/login.
+      AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID:
+        required: true
+        description: >
+          The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter
+          when calling azure/login.
+      AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID:
         required: true
+        description: >
+          The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id
+          parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the
+          subscription itself.
+
       MAINTENANCE_USER_NAME:
       MAINTENANCE_PASSWORD:
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -120,6 +143,7 @@ jobs:
   reset-azure-environment:
     runs-on: ${{ inputs.machine-type }}
     name: Reset Azure Environment
+    environment: ${{ inputs.destination-slot-name }}
     defaults:
       run:
         shell: pwsh
@@ -128,7 +152,9 @@ jobs:
       - name: Login to Azure
         uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_RESET_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev

.github/workflows/spelling.yml

@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

.github/workflows/swap-azure-web-app-slots.yml

@@ -3,11 +3,33 @@ name: Swap Azure Web App Slots
 concurrency:
   group: AzureSwapAppSlots
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
-      AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL:
+      # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action
+      # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used:
+      # https://github.com/azure/login.
+      AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID:
+        required: true
+        description: >
+          The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the
+          client-id parameter when calling azure/login.
+      AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID:
         required: true
+        description: >
+          The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter
+          when calling azure/login.
+      AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID:
+        required: true
+        description: >
+          The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id
+          parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the
+          subscription itself.
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -52,6 +74,7 @@ jobs:
   swap-azure-web-app-slots:
     runs-on: ${{ inputs.machine-type }}
     name: Swap Azure Web App Slots
+    environment: ${{ inputs.destination-slot-name }}
     defaults:
       run:
         shell: pwsh
@@ -60,7 +83,9 @@ jobs:
       - name: Login to Azure
         uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev

.github/workflows/swap-orchard1-azure-web-app-slots.yml

@@ -3,13 +3,36 @@ name: Swap Azure Web App Slots
 concurrency:
   group: AzureSwapAppSlots
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
-      AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL:
+      # These secrets are for OpenID Connect-based authentication with Azure services through the azure/login action
+      # (proxied by our login-to-azure action below). Check out its documentation on how these secrets are used:
+      # https://github.com/azure/login.
+      AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID:
+        required: true
+        description: >
+          The Application (client) ID of the Azure Service Principal or Managed Credential, which will be mapped to the
+          client-id parameter when calling azure/login.
+      AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID:
+        required: true
+        description: >
+          The Tenant (Directory) ID of the Microsoft Entra ID tenant, which will be mapped to the tenant-id parameter
+          when calling azure/login.
+      AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID:
         required: true
+        description: >
+          The ID of the Azure Subscription the resources are under, which will be mapped to the subscription-id
+          parameter when calling azure/login. You can look this up e.g. in the Azure Portal under any resource or the
+          subscription itself.
+
       MAINTENANCE_USER_NAME:
       MAINTENANCE_PASSWORD:
+
     inputs:
       cancel-workflow-on-failure:
         description: When set to "true", will cancel the current workflow run with all jobs if this workflow fails.
@@ -62,6 +85,7 @@ jobs:
   swap-azure-web-app-slots:
     runs-on: ${{ inputs.machine-type }}
     name: Swap Azure Web App Slots
+    environment: ${{ inputs.destination-slot-name }}
     defaults:
       run:
         shell: pwsh
@@ -70,7 +94,9 @@ jobs:
       - name: Login to Azure
         uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_SWAP_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev

.github/workflows/test-analysis-failure.yml

@@ -5,6 +5,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.