From ad7df8fb3ecf83060ad3f8667b3d3ae8b797ab28 Mon Sep 17 00:00:00 2001
From: John Gathogo
Date: Mon, 26 Feb 2024 09:29:21 +0300
Subject: [PATCH] Use OpenID Connect to authenticate to Azure

---
 .github/workflows/publish_to_staging_slot.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish_to_staging_slot.yml b/.github/workflows/publish_to_staging_slot.yml
index 5ffc067..34b0116 100644
--- a/.github/workflows/publish_to_staging_slot.yml
+++ b/.github/workflows/publish_to_staging_slot.yml
@@ -7,6 +7,10 @@ name: Publish OData org website to Azure Web App staging slot
 on:
 workflow_dispatch: # Makes it possible to trigger workflow manually
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 publish:
 if: github.repository_owner == 'OData' && github.event_name == 'workflow_dispatch'
@@ -24,10 +28,12 @@ jobs:
 -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \
 jekyll/builder:stable /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --config _config_staging.yml --future"
- - name: Log in with Azure # Using Azure Service Principal
+ - name: Log in with Azure # Using OpenID Connect (OIDC)
 uses: azure/login@v1
 with:
- creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Deploy to Azure Web App
 uses: azure/webapps-deploy@v2
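Review bot: The `permissions` block in the first hunk is declared at workflow level, so `id-token: write` is granted to every job in the workflow rather than only to the `publish` job that runs azure/login; placing the same two keys under `jobs.publish` instead keeps the OIDC token grant scoped to the one job that needs it. Only `publish` is visible here, so the effective grant is the same today, but the job-level form stops it widening silently if another job is added later. A short comment would help the next reader understand why each permission is present, e.g. `# id-token: write lets azure/login request a GitHub OIDC token for federated-credential sign-in; contents: read is presumably for the checkout step`. The federated credential on the Azure side must also be restricted to this repository and to the branch or environment the workflow runs from; that lives in Azure configuration and cannot be verified from this diff.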