From 54f749f0cba0d1e292e35bcc1a502208629687c8 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Mon, 24 Jun 2024 14:27:45 -0700
Subject: [PATCH] github: use federated auth for Azure login

Use federated authentication with GitHub Actions and Azure Entra ID for the Azure login commands during build-git-installers.yml builds. This will allow us to drop the use of a client secret to authenticate as the signing identity for Trusted Code Signing.

Signed-off-by: Matthew John Cheetham
---
 .github/workflows/build-git-installers.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index 3eb4bda2d90771..f0d419f5efa6db 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v[0-9]*vfs*' # matches "vvfs"
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   # Check prerequisites for the workflow
   prereqs:
@@ -546,7 +549,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Prepare for GPG signing
         env:
@@ -704,7 +709,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download GPG public key signature file
         run: |
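Review bot: The new workflow-level `permissions:` block in the first hunk names only `id-token: write`, and on GitHub Actions declaring any permission resets every undeclared `GITHUB_TOKEN` scope to `none` for all jobs, so any job later in this file that still relies on the default token (a release-creation or artifact-upload step, for instance) will start failing with 403 unless it declares its own `permissions:`; the rest of the file is outside these hunks, so this needs checking. It also hands every job in the workflow an OIDC token it can exchange, which is wider than needed; the least-privilege form is to drop the workflow-level block and put `permissions:` / `  id-token: write` / `  contents: read` only on the two jobs that run `azure/login`. The `# required for Azure login via OIDC` comment would then sit next to the steps that actually need it.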
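Review bot: The `client-id`/`tenant-id`/`subscription-id` login in the second hunk (and identically in the third) only succeeds if the Entra app has a federated identity credential whose subject matches the token GitHub issues for this run, and the first hunk shows the workflow is triggered by tag pushes, so the subject will be `repo:<org>/<repo>:ref:refs/tags/<tag>` and change with every release tag. Federated credential subjects are matched exactly, so unless the credential is bound to an environment the jobs would need an `environment:` key (for example `environment: release`) and a credential with subject `repo:<org>/<repo>:environment:release`; the enclosing jobs begin outside the hunk, so I cannot see whether one is set. It is also worth a one-line comment above the step such as `# OIDC federated login; no client secret - see the Entra federated credential for the trigger subject` so the next maintainer does not reintroduce `creds:`.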