Azure / trusted-signing-action

MIT License

Federated credentials support #27

Open spyoungtech opened 1 month ago

spyoungtech commented 1 month ago

I would like to use federated credentials to authenticate with GitHub Actions. I have an app registration with the Trusted Signing Certificate Profile Signer role assigned and federated access configured for my GitHub repository as described in the documentation linked above, but it's not clear to me how I can configure my GitHub Action workflow with this Action to use federated credentials for signing in.

I understand that the documentation states that AzureDefaultCredential is used under the hood here for authentication. However, not being a C# developer, this reference documentation doesn't help me much in understanding how to properly configure this Action for my desired scenario.

I will try a few things based on hunches I have and will report my findings, but it would probably be appreciated by many if this could be outlined at least briefly in the README. Thanks!

japarson commented 1 month ago

Hi @spyoungtech, we are working on adding documentation that will make this process more clear. In the meantime, I suggest watching this YouTube video which helped me understand the process better. Your YAML will end up looking something like this, but the credentials need to be configured correctly in Azure (which the video walks you through):

```yaml
permissions:
  id-token: write
  contents: read

jobs:
  test:
    runs-on: windows-latest

    steps:
      - name: Checkout the code
        uses: actions/checkout@v4

      - name: Azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Trusted Signing
        uses: azure/trusted-signing-action@v0.3.18
        with:
          ...
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: false
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true
```

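
The part the workflow above leaves implicit is the matching Entra ID does before azure/login gets a token: the GitHub OIDC token's issuer, subject and audience must equal the federated credential on the app registration, otherwise the exchange is refused. The following added example (not code from this thread or from the trusted-signing-action project) builds the subject string GitHub uses for a branch, environment or pull request trigger and checks constructed sample claims against a constructed federated credential; the claim values are assumptions based on GitHub's documented token format.

```python
"""Check GitHub Actions OIDC token claims against an Entra federated credential.

Added example; the credential and claims below are constructed sample data.
Signature verification of the JWT is assumed to have happened already."""

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # audience azure/login requests


def github_subject(owner, repo, branch=None, environment=None, pull_request=False):
    """Build the `sub` claim GitHub issues for a given workflow trigger.
    Branch builds use ref:refs/heads/<branch>, environment deployments use
    environment:<name>, pull request builds use the fixed suffix pull_request."""
    if environment:
        return f"repo:{owner}/{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{owner}/{repo}:pull_request"
    if branch:
        return f"repo:{owner}/{repo}:ref:refs/heads/{branch}"
    raise ValueError("need a branch, an environment or pull_request=True")


def matches_federated_credential(claims, credential):
    """Return (ok, reason) for decoded token claims against a credential dict
    mirroring the issuer/subject/audiences fields Entra stores."""
    if claims.get("iss") != credential["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != credential["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in auds):
        return False, "audience mismatch"
    return True, "ok"


# Constructed sample: credential scoped to the main branch of a single repo.
CREDENTIAL = {
    "issuer": GITHUB_ISSUER,
    "subject": github_subject("example-org", "example-repo", branch="main"),
    "audiences": [DEFAULT_AUDIENCE],
}

# Constructed sample claims as GitHub would issue them (signature omitted).
MAIN_BRANCH_CLAIMS = {"iss": GITHUB_ISSUER, "aud": DEFAULT_AUDIENCE,
                      "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
FEATURE_BRANCH_CLAIMS = dict(MAIN_BRANCH_CLAIMS,
                             sub="repo:example-org/example-repo:ref:refs/heads/feature")
```

A feature-branch run fails on the subject, which is exactly the scoping that keeps a credential for `main` from being usable by any other ref; widen it only by adding a second federated credential, not by loosening this one.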
spyoungtech commented 1 month ago

Thanks, this worked like a charm.