From 6edc23e29c6b43718851584508bedfd806e9e1d3 Mon Sep 17 00:00:00 2001
From: kdestin <101366538+kdestin@users.noreply.github.com>
Date: Wed, 19 Jun 2024 14:50:47 -0400
Subject: [PATCH] chore: Update remaining workflows to use federated credentials
---
 .github/workflows/automated-cleanup-resources.yml | 6 +++++-
 .github/workflows/bootstrapping-infra.yml | 6 +++++-
 .github/workflows/bootstrapping-resources.yml | 6 +++++-
 .../cli-assets-environment-docker-image-plus-conda.yaml | 6 +++++-
 ...dels-azure_openai-oai-v1-openai_completions_finetune.yml | 6 +++++-
 .github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml | 6 +++++-
 .github/workflows/cli-scripts-deploy-moe-vnet.yml | 6 +++++-
 .github/workflows/nyc_taxi_data_regression-env_train.yml | 6 +++++-
 ...s-system-import-import_model_into_registry_new_model.yml | 6 +++++-
 ...ort-import_model_into_registry_new_model_image_tasks.yml | 6 +++++-
 ...l-timesers-in-pipeline-automl-forecasting-demand-hts.yml | 6 +++++-
 11 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/automated-cleanup-resources.yml b/.github/workflows/automated-cleanup-resources.yml
index 76cbd9a5cb1..0b16036ec91 100644
--- a/.github/workflows/automated-cleanup-resources.yml
+++ b/.github/workflows/automated-cleanup-resources.yml
@@ -10,6 +10,8 @@ on:
 - .github/workflows/automated-cleanup-resources.yml
 - infra/bootstrapping/**
 - infra/scripts/**
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -26,7 +28,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 enable-AzPSSession: true
 continue-on-error: true
 - name: "Install Az Modules"
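Review bot: The `permissions:` block added in the first hunk of `automated-cleanup-resources.yml` lists only `id-token: write`, and once a workflow declares `permissions` every scope it does not list is set to `none`, so no job in this file is granted `contents: read` any more. If any job checks out the repository (the jobs are outside the hunk), I would add `contents: read` next to `id-token: write`, since I would expect checkout of a non-public copy of the repository to fail without it. The block is also workflow-wide, so every job in the file may request an OIDC token; declaring it under the one job that runs `azure login` limits that to the job that needs it. The same two lines are added in the first hunk of each of the other ten workflow files.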
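Review bot: The `azure login` step in the second hunk of `automated-cleanup-resources.yml` still carries `continue-on-error: true` (the context line just before `Install Az Modules`), so a failed token exchange, for example a federated credential whose subject does not match this workflow's trigger, is not reported as a job failure. The steps that follow lie outside the hunk, but they would then run without an Azure session, and a cleanup job that quietly does nothing is hard to notice. I would drop `continue-on-error: true` from the login step, or keep it with a comment such as `# login failure is tolerated because <reason>` so the choice is visible. Indentation is flattened on this page, so I am assuming the key belongs to the step and not to `with:`.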
diff --git a/.github/workflows/bootstrapping-infra.yml b/.github/workflows/bootstrapping-infra.yml
index 300858233aa..0fa746a8b00 100644
--- a/.github/workflows/bootstrapping-infra.yml
+++ b/.github/workflows/bootstrapping-infra.yml
@@ -24,6 +24,8 @@ on:
 - cli/**
 - infra/bootstrapping/**
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -46,7 +48,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap infra resources
 run: |
 [[ -z "${RUN_BOOTSTRAP:-}" ]] && RUN_BOOTSTRAP='true'
diff --git a/.github/workflows/bootstrapping-resources.yml b/.github/workflows/bootstrapping-resources.yml
index aff1527894f..7a21e94d78a 100644
--- a/.github/workflows/bootstrapping-resources.yml
+++ b/.github/workflows/bootstrapping-resources.yml
@@ -11,6 +11,8 @@ on:
 - .github/workflows/bootstrapping-resources.yml
 - cli/**
 - infra/bootstrapping/**
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -29,7 +31,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';
diff --git a/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml b/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
index e8d250c5aeb..cda6ca158a5 100644
--- a/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
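Review bot: `uses: azure/login@v1` in the second hunk of `bootstrapping-infra.yml` resolves a movable tag, and after this change that action is the code that requests the job's OIDC token and exchanges it for Azure access. Pinning it to a full commit SHA, `uses: azure/login@<full-commit-sha>  # v1`, means a retagged release cannot change what runs with `id-token: write`. The same context line sits in the login hunk of every other workflow file in this patch, including `automated-cleanup-resources.yml`. The `jobs:` body starts and ends outside the hunk.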
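Review bot: The `echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';` context line in the second hunk of `bootstrapping-resources.yml` has its expression expanded into the script text before the shell runs, so the ref name is parsed as shell source and not passed as data. Since the step before it now logs in to Azure, I would hand the value over through the environment: an `env:` entry `CONCURRENCY_GROUP: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` on the step, and `echo "$CONCURRENCY_GROUP"` in the script. The same line appears in the login hunks of `cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml`, both `sdk-foundation-models-system-import-*` files and the `sdk-jobs-pipelines-*` file. The `run:` block continues past the end of the hunk.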
+++ b/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
@@ -16,6 +16,8 @@ on:
 - infra/bootstrapping/**
 - .github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
 - cli/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 bash bootstrap.sh
diff --git a/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml b/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml
index 561be5646f5..9ac0f2c4f39 100644
--- a/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml
+++ b/.github/workflows/cli-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml
@@ -19,6 +19,8 @@ on:
 - infra/bootstrapping/**
 - cli/run-pipeline-jobs.sh
 - cli/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -31,7 +33,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';
diff --git a/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml b/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
index 0d56eb6fa88..2e1e1fd9305 100644
--- a/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
+++ b/.github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
@@ -16,6 +16,8 @@ on:
 - infra/bootstrapping/**
 - .github/workflows/cli-scripts-deploy-moe-vnet-mlflow.yml
 - cli/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 bash bootstrap.sh
diff --git a/.github/workflows/cli-scripts-deploy-moe-vnet.yml b/.github/workflows/cli-scripts-deploy-moe-vnet.yml
index b02367a91f5..870c13aff4f 100644
--- a/.github/workflows/cli-scripts-deploy-moe-vnet.yml
+++ b/.github/workflows/cli-scripts-deploy-moe-vnet.yml
@@ -16,6 +16,8 @@ on:
 - infra/bootstrapping/**
 - .github/workflows/cli-scripts-deploy-moe-vnet.yml
 - cli/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 bash bootstrap.sh
diff --git a/.github/workflows/nyc_taxi_data_regression-env_train.yml b/.github/workflows/nyc_taxi_data_regression-env_train.yml
index 04643ab58b4..20fd7eac0ff 100644
--- a/.github/workflows/nyc_taxi_data_regression-env_train.yml
+++ b/.github/workflows/nyc_taxi_data_regression-env_train.yml
@@ -12,6 +12,8 @@ on:
 - infra/bootstrapping/**
 - .github/workflows/nyc_taxi_data_regression-env_train.yml
 - cli/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -24,7 +26,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 bash bootstrap.sh
diff --git a/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml b/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml
index 55491223634..889c0496a2d 100644
--- a/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml
+++ b/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model.yml
@@ -19,6 +19,8 @@ env:
 TASK_NAME: fill-mask
 MMDETECTION_MODEL_ID: None
 MMDETECTION_TASK_NAME: image-object-detection
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';
diff --git a/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml b/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml
index 56ed98d402a..34a7bd0775a 100644
--- a/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml
+++ b/.github/workflows/sdk-foundation-models-system-import-import_model_into_registry_new_model_image_tasks.yml
@@ -19,6 +19,8 @@ env:
 TASK_NAME: image-classification
 MMDETECTION_MODEL_ID: faster-rcnn_r50_fpn_1x_coco
 MMDETECTION_TASK_NAME: image-object-detection
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';
diff --git a/.github/workflows/sdk-jobs-pipelines-1k_demand_forecasting_with_pipeline_components-automl-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml b/.github/workflows/sdk-jobs-pipelines-1k_demand_forecasting_with_pipeline_components-automl-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml
index 52e7083ee89..3e041c6d20e 100644
--- a/.github/workflows/sdk-jobs-pipelines-1k_demand_forecasting_with_pipeline_components-automl-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml
+++ b/.github/workflows/sdk-jobs-pipelines-1k_demand_forecasting_with_pipeline_components-automl-forecasting-demand-hierarchical-timesers-in-pipeline-automl-forecasting-demand-hts.yml
@@ -19,6 +19,8 @@ on:
 - sdk/python/dev-requirements.txt
 - infra/bootstrapping/**
 - sdk/python/setup.sh
+permissions:
+ id-token: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -37,7 +39,9 @@ jobs:
 - name: azure login
 uses: azure/login@v1
 with:
- creds: ${{secrets.AZUREML_CREDENTIALS}}
+ client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
 - name: bootstrap resources
 run: |
 echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';