diff --git a/.github/workflows/infra.yaml b/.github/workflows/infra.yaml
index a5e39ab..6e08767 100644
--- a/.github/workflows/infra.yaml
+++ b/.github/workflows/infra.yaml
@@ -4,10 +4,16 @@ on:
push:
paths:
- infra/**
+ branches:
+ - main
schedule:
- cron: "00 00 * * 3"
workflow_dispatch:
+permissions:
+ id-token: write
+ contents: read
+
jobs:
infra:
strategy:
@@ -18,7 +24,9 @@ jobs:
- name: Log into Azure
uses: azure/login@v2
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Checkout code
uses: actions/checkout@v4
with:
diff --git a/README.md b/README.md
index 588577d..0d3489f 100644
--- a/README.md
+++ b/README.md
@@ -83,3 +83,20 @@ To publish the docker image to Docker Hub via GitHub Actions, you need to set th
gh secret set DOCKERHUB_USERNAME --body $DOCKERHUB_USERNAME
gh secret set DOCKERHUB_TOKEN --body $DOCKERHUB_TOKEN
```
+
+### Continuous Integration
+
+To configure OIDC authentication, run the following command.
+
+```shell
+# Configure OIDC authentication
+sh scripts/configure-oidc-github.sh
+
+# Register parameters to GitHub Secrets
+AZURE_SUBSCRIPTION_ID=$(az account show --query 'id' --output tsv)
+
+gh secret set AZURE_CLIENT_ID --body $AZURE_CLIENT_ID
+gh secret set AZURE_TENANT_ID --body $AZURE_TENANT_ID
+gh secret set AZURE_SUBSCRIPTION_ID --body $AZURE_SUBSCRIPTION_ID
+gh secret set AZURE_RG --body $AZURE_RG
+```
diff --git a/docs/README.md b/docs/README.md
index 444c576..bab84ce 100644
--- a/docs/README.md
+++ b/docs/README.md
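Review bot: `permissions` is declared at workflow level, so `id-token: write` is granted to every job in the file rather than only to the `infra` job that calls `azure/login`; moving the block under `jobs.infra` keeps any job added later from being able to request an OIDC token. The `on:` mapping this hunk edits begins before the hunk. The new `branches: main` filter on `push` pairs correctly with the `refs/heads/main` subject the federated credential in this commit is pinned to. `schedule` runs on the default branch and `workflow_dispatch` on whichever ref is chosen, so a dispatch from another branch is refused at token exchange rather than succeeding silently, which is acceptable but worth a comment such as `# OIDC subject is pinned to refs/heads/main; dispatch from other branches will fail login`.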
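Review bot: Nothing in the change retires the `AZURE_CREDENTIALS` secret that the removed `creds:` line used to read; if it held a client secret, delete the repository secret and remove the matching client secret from the app registration so the long-lived credential path is closed rather than merely unused. The three new `with:` inputs are identifiers, not secrets, so keeping them in repository secrets is fine, but a comment above the step such as `# OIDC login: no client secret; the job's id-token proves identity` would tell the next maintainer why `creds` disappeared. The step list this hunk edits continues outside the hunk.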
@@ -11,6 +11,10 @@
- [Get started with LangSmith](https://docs.smith.langchain.com/)
- [Add message history (memory) > In-memory](https://python.langchain.com/v0.1/docs/expression_language/how_to/message_history/#in-memory)
+### GitHub
+
+- [Use GitHub Actions to connect to Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)
+
### Tools
- [Tool calling agent](https://python.langchain.com/v0.1/docs/modules/agents/agent_types/tool_calling/)
diff --git a/infra/main.parameters.bicepparam b/infra/main.parameters.bicepparam
index f5ffbbe..079d7f8 100644
--- a/infra/main.parameters.bicepparam
+++ b/infra/main.parameters.bicepparam
@@ -14,7 +14,7 @@ param openAiDeployments = [
{
name: 'whisper'
version: '001'
- capacity: 3
+ capacity: 1
}
]
diff --git a/scripts/configure-oidc-github.sh b/scripts/configure-oidc-github.sh
new file mode 100644
index 0000000..d3395ec
--- /dev/null
+++ b/scripts/configure-oidc-github.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# get the directory of the script
+SCRIPT_DIR=$(cd "$(dirname "$0")" || exit; pwd)
+
+# get the name of the current directory
+appName=test-$(basename "$(pwd)")
+
+# Azure sign in
+az login
+
+# Get the current Azure subscription ID
+subscriptionId=$(az account show --query 'id' --output tsv)
+
+# Create a new Azure Active Directory application
+appId=$(az ad app create --display-name "$appName" --query appId --output tsv)
+
+# Create a new service principal for the application
+assigneeObjectId=$(az ad sp create --id "$appId" --query id --output tsv)
+
+# Assign the 'Contributor' role to the service principal for the subscription
+az role assignment create --role contributor \
+ --subscription "$subscriptionId" \
+ --assignee-object-id "$assigneeObjectId" \
+ --assignee-principal-type ServicePrincipal \
+ --scope /subscriptions/"$subscriptionId"/resourceGroups/"$appName"
+
+# Assign the 'Contributor' role to the service principal for the subscription
+az ad app federated-credential create \
+ --id "$appId" \
+ --parameters "$SCRIPT_DIR"/credential.json
diff --git a/scripts/credential.json b/scripts/credential.json
new file mode 100644
index 0000000..775eb13
--- /dev/null
+++ b/scripts/credential.json
@@ -0,0 +1,7 @@
+{
+ "name": "azure-ai-services-solutions",
+ "issuer": "https://token.actions.githubusercontent.com",
+ "subject": "repo:ks6088ts-labs/azure-ai-services-solutions:ref:refs/heads/main",
+ "description": "Testing",
+ "audiences": ["api://AzureADTokenExchange"]
+}
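Review bot: The script never sets `set -eu`, so if `az ad app create` or `az ad sp create` fails, `$appId` or `$assigneeObjectId` is empty and the role assignment and federated-credential calls still run against an empty id; add `set -eu` directly after the shebang, and note that the `|| exit` inside `SCRIPT_DIR=$(cd "$(dirname "$0")" || exit; pwd)` only leaves the subshell, leaving `SCRIPT_DIR` empty and `--parameters /credential.json` on a failed `cd`. Both `# Assign the 'Contributor' role to the service principal for the subscription` comments are inaccurate: the first assignment is scoped to the resource group via `--scope /subscriptions/"$subscriptionId"/resourceGroups/"$appName"`, and the second command creates the federated credential, so reword them to `# Assign 'Contributor' on resource group "$appName" to the service principal` and `# Trust GitHub's OIDC issuer for this app (subject and audience come from credential.json)`. The values the README's follow-up `gh secret set` commands read (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_RG`) are never printed or exported here, and `appId` is a local variable of a child `sh` process, so consider ending with `echo "AZURE_CLIENT_ID=$appId"` and `echo "AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)"`. Re-running the script creates another app registration with the same display name and grants it Contributor as well, since `az ad app create` always creates a new object; a header comment stating that the script is not idempotent would prevent accidental accumulation of privileged identities.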
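Review bot: `"description": "Testing"` reads as a placeholder; make it state the credential's purpose, e.g. `"description": "GitHub Actions OIDC for infra.yaml on refs/heads/main"`. The `subject` hard-codes `ks6088ts-labs/azure-ai-services-solutions` and `refs/heads/main` while the companion script derives the app name from the current directory, so a fork or renamed repository fails closed at token exchange rather than reusing this trust; strict JSON cannot carry a comment, so record that coupling in the script or README. Pinning `subject` to a single branch ref rather than an environment or wildcard is the appropriately narrow choice and should be kept.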