
GitHub Actions with Federated Credentials #4822

Merged: tamirkamara merged 8 commits into main from tamirkamara/gha-oidc on Jan 28, 2026

Conversation

@tamirkamara (Collaborator) commented Jan 26, 2026

What is being addressed

The workflows in this repo currently rely on a service principal with a secret. This is considered less secure and no longer the only way to have GitHub Actions authenticate to Azure.

How is this addressed

  • Switch workflows to use federated credentials
  • Change scripts so that Terraform will rely on azure-cli authentication, as that renews tokens automatically while Terraform doesn't (while inside the dev container)
  • Update documentation and changelog

github-actions bot commented Jan 26, 2026

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 41acdb3.

♻️ This comment has been updated with latest results.

@tamirkamara tamirkamara force-pushed the tamirkamara/gha-oidc branch 2 times, most recently from d5639ab to 7076332 Compare January 26, 2026 08:36
@tamirkamara (Collaborator, Author) commented:

/test

github-actions bot commented:

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/21356238812 (with refid 7ad231f2)

(in response to this comment from @tamirkamara)

Copilot AI (Contributor) left a comment

Pull request overview

This PR migrates GitHub Actions authentication to Azure from service-principal secrets to OIDC federated credentials, and adjusts supporting scripts/docs to align with the new auth flow.

Changes:

  • Update multiple GitHub Actions workflows and the shared devcontainer action to authenticate via azure/login@v2 using OIDC (client/tenant/subscription IDs) and id-token: write.
  • Adjust bootstrap/auth scripting to support OIDC in automation and to drive Terraform via Azure CLI auth.
  • Refresh setup documentation and add a changelog entry describing the breaking change.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 8 comments.

Summary per file:

  • docs/tre-admins/setup-instructions/workflows.md: Updates CI/CD setup instructions from SP secret JSON to OIDC-based secrets and federated credentials.
  • docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md: Updates pre-deployment CI/CD steps to use OIDC and new secrets/variables.
  • docs/tre-admins/environment-variables.md: Updates env var documentation to reflect OIDC and reduced need for client secrets in CI/CD.
  • devops/terraform/bootstrap.sh: Removes backend OIDC/AAD flags from generated backend config to rely on environment-based auth behavior.
  • devops/scripts/bootstrap_azure_env.sh: Adds automation login via federated token file and switches Terraform auth strategy to CLI-based auth.
  • CHANGELOG.md: Documents the breaking change moving workflows to federated credentials.
  • .github/workflows/pr_comment_bot.yml: Switches Azure login to OIDC-based inputs and adds id-token: write.
  • .github/workflows/lets_encrypt.yml: Adds OIDC permission and uses azure/login@v2 with client/tenant/subscription IDs.
  • .github/workflows/deploy_tre_reusable.yml: Updates reusable workflow secrets contract and all calls to devcontainer action to use OIDC secrets; updates test result publisher input.
  • .github/workflows/deploy_tre_branch.yml: Passes new OIDC secrets and grants id-token: write.
  • .github/workflows/deploy_tre.yml: Passes new OIDC secrets and grants id-token: write.
  • .github/workflows/cli-package.yml: Updates devcontainer action calls to pass OIDC secrets and grants id-token: write.
  • .github/workflows/clean_validation_envs.yml: Switches Azure login to OIDC-based inputs and grants id-token: write.
  • .github/actions/devcontainer_run_command/action.yml: Replaces AZURE_CREDENTIALS with OIDC inputs and adds manual OIDC token retrieval for containerized az login.
  • .devcontainer/Dockerfile: Removes a Yarn apt source list file before installing packages (build hygiene).

Review comment threads on:

  • devops/scripts/bootstrap_azure_env.sh (outdated)
  • .github/actions/devcontainer_run_command/action.yml
  • .github/workflows/deploy_tre_reusable.yml
  • .github/workflows/lets_encrypt.yml (outdated)
  • docs/tre-admins/setup-instructions/workflows.md
  • docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
  • docs/tre-admins/environment-variables.md
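The containerized az login flow that the review summary above describes (manual OIDC token retrieval in the devcontainer action, because azure/login@v2 cannot run inside the container) has roughly the shape below. This is an added example, not code from this PR or from the AzureTRE repository: ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are the variables GitHub injects into a job that has id-token: write; AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID are assumed to be passed in by the workflow; the helper function names are mine.

```shell
#!/bin/sh
# Added example (not the AzureTRE project's code): request a GitHub Actions
# OIDC token and use it for a federated `az login` from inside a container.
# Assumes the job has `id-token: write` and that the workflow exports
# AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID.
set -eu

# Default audience Entra ID expects for a GitHub federated credential.
OIDC_AUDIENCE="api://AzureADTokenExchange"

# Extract the "value" field from GitHub's token endpoint JSON without jq.
oidc_token_from_response() {
  printf '%s' "$1" | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# base64url-decode one JWT segment: swap the URL alphabet back and re-pad.
b64url_decode() {
  _seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_seg} % 4 )) in
    2) _seg="${_seg}==" ;;
    3) _seg="${_seg}=" ;;
  esac
  printf '%s' "$_seg" | base64 -d
}

# Return the token's "sub" claim. Entra matches it exactly against the
# federated credential's subject, so logging it makes a mismatch obvious.
jwt_subject() {
  _payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$_payload" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Only contact GitHub and Azure when actually running inside an Actions job.
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
  # The request URL already carries a query string, so the audience is appended with '&'.
  response=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${OIDC_AUDIENCE}")
  token=$(oidc_token_from_response "$response")
  echo "Presenting OIDC subject: $(jwt_subject "$token")"
  # The token stays in a shell variable and is handed to az in-process,
  # so it is never written to the runner's disk.
  az login --service-principal \
    --username "${AZURE_CLIENT_ID}" --tenant "${AZURE_TENANT_ID}" \
    --federated-token "$token" --output none
  az account set --subscription "${AZURE_SUBSCRIPTION_ID}"
fi
```

The federated credential configured in Entra must match the token on issuer, audience and subject, and the subject is what scopes the trust: repo:OWNER/REPO:ref:refs/heads/main only accepts tokens minted by runs on that branch, repo:OWNER/REPO:environment:NAME only by runs bound to that environment, so a token minted for another branch or event cannot log in as this identity even though it comes from the same repository. Keeping the token in a variable and passing it straight to az avoids leaving it on the runner; if a tool can only consume it from a file, write that file with restrictive permissions and remove it when the step finishes.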

Copilot AI (Contributor) commented Jan 26, 2026

@tamirkamara I've opened a new pull request, #4823, to work on those changes. Once the pull request is ready, I'll request review from you.

@marrobi (Member) left a comment

LGTM providing it works(!).

Copilot is suggesting avoiding downloading the token to the runner, but not sure there is a way round this?

@JC-wk (Collaborator) left a comment

LGTM


5 participants