chore: Update remaining workflows to use federated credentials

Azure · Jun 19, 2024 · 6edc23e · 6edc23e
1 parent c334a36
commit 6edc23e
Show file tree

Hide file tree

Showing 11 changed files with 55 additions and 11 deletions.
diff --git a/.github/workflows/automated-cleanup-resources.yml b/.github/workflows/automated-cleanup-resources.yml
@@ -10,6 +10,8 @@ on:
       - .github/workflows/automated-cleanup-resources.yml
       - infra/bootstrapping/**
       - infra/scripts/**
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -26,7 +28,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
       continue-on-error: true
     - name: "Install Az Modules"

diff --git a/.github/workflows/bootstrapping-infra.yml b/.github/workflows/bootstrapping-infra.yml
@@ -24,6 +24,8 @@ on:
       - cli/**
       - infra/bootstrapping/**
 
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -46,7 +48,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap infra resources
       run: |
           [[ -z "${RUN_BOOTSTRAP:-}" ]] && RUN_BOOTSTRAP='true'

diff --git a/.github/workflows/bootstrapping-resources.yml b/.github/workflows/bootstrapping-resources.yml
@@ -11,6 +11,8 @@ on:
       - .github/workflows/bootstrapping-resources.yml
       - cli/**
       - infra/bootstrapping/**
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -29,7 +31,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';

diff --git a/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml b/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml b/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml
@@ -19,6 +19,8 @@ on:
       - infra/bootstrapping/**
       - cli/run-pipeline-jobs.sh
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -31,7 +33,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';

diff --git a/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml b/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-scripts-deploy-moe-vnet.yml b/.github/workflows/cli-scripts-deploy-moe-vnet.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-scripts-deploy-moe-vnet.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/nyc_taxi_data_regression-env_train.yml b/.github/workflows/nyc_taxi_data_regression-env_train.yml
@@ -12,6 +12,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/nyc_taxi_data_regression-env_train.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -24,7 +26,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/...ub/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml b/...ub/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml
@@ -19,6 +19,8 @@ env:
   TASK_NAME: fill-mask
   MMDETECTION_MODEL_ID: None
   MMDETECTION_TASK_NAME: image-object-detection
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';

diff --git a/.../sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml b/.../sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml
@@ -19,6 +19,8 @@ env:
   TASK_NAME: image-classification
   MMDETECTION_MODEL_ID: faster-rcnn_r50_fpn_1x_coco
   MMDETECTION_TASK_NAME: image-object-detection
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';

diff --git a/...ml-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml b/...ml-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml
@@ -19,6 +19,8 @@ on:
       - sdk/python/dev-requirements.txt
       - infra/bootstrapping/**
       - sdk/python/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';