From ebfd86a6e7fd898a50ed563c7d40de4239f78ca3 Mon Sep 17 00:00:00 2001 From: John Gathogo Date: Mon, 26 Feb 2024 09:29:21 +0300 Subject: [PATCH] Use OpenID Connect to authenticate to Azure --- .github/workflows/publish_to_staging_slot.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish_to_staging_slot.yml b/.github/workflows/publish_to_staging_slot.yml index 5ffc067..5fa97ff 100644 --- a/.github/workflows/publish_to_staging_slot.yml +++ b/.github/workflows/publish_to_staging_slot.yml @@ -5,6 +5,8 @@ name: Publish OData org website to Azure Web App staging slot on: + push: + branches: [ staging ] workflow_dispatch: # Makes it possible to trigger workflow manually jobs: @@ -12,6 +14,10 @@ jobs: if: github.repository_owner == 'OData' && github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + steps: - uses: actions/checkout@v3 with: @@ -24,10 +30,13 @@ jobs: -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \ jekyll/builder:stable /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --config _config_staging.yml --future" - - name: Log in with Azure # Using Azure Service Principal + - name: Log in with Azure # Using OpenID Connect (OIDC) uses: azure/login@v1 with: - creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' + auth-type: IDENTITY + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Deploy to Azure Web App uses: azure/webapps-deploy@v2
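Review bot: The new `push` trigger on `staging` cannot actually run the job, because the job-level condition shown as context in the next hunk still reads `if: github.repository_owner == 'OData' && github.event_name == 'workflow_dispatch'`, so every push-triggered run is created and immediately skipped. Either drop the `push:` block again or widen the condition, e.g. `if: github.repository_owner == 'OData' && (github.event_name == 'workflow_dispatch' || github.event_name == 'push')`. If pushes are meant to deploy, the federated credential configured in Entra for this app registration must carry a subject claim matching the ref the job runs under (for this trigger presumably `repo:OData/<repo>:ref:refs/heads/staging`, the repository name is not visible in this patch), otherwise the OIDC login will fail for push-triggered runs even after the condition is fixed.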
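Review bot: `auth-type: IDENTITY` selects azure/login's managed-identity path, which as documented for the action needs a runner hosted inside Azure with an identity assigned to it; this job runs on `ubuntu-latest`, a GitHub-hosted runner, so the login is likely to fail instead of using the federated OIDC token that `id-token: write` was just granted for. For OIDC the action's default `SERVICE_PRINCIPAL` auth type with `client-id`, `tenant-id` and `subscription-id` and no `client-secret` is what exchanges the GitHub token for an Azure token, so the fix is to delete the `auth-type: IDENTITY` line (or set it to `auth-type: SERVICE_PRINCIPAL`). Since the workflow no longer references `secrets.AZURE_CLIENT_SECRET`, that repository secret should be deleted and the corresponding client secret revoked in Entra, so the long-lived credential this change sets out to retire is really gone rather than left dormant. The step's `with:` block and the remainder of the job continue unchanged below the hunk.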