From c056ac5d16e54dd3416db13fd3e5da97dc2df9ef Mon Sep 17 00:00:00 2001
From: Pavel Horak <22235234+pavelhorak@users.noreply.github.com>
Date: Thu, 5 Sep 2024 11:40:51 +0200
Subject: [PATCH] Update AzureDevOps.yml (#5249)

Replacing usage of PAT with Entra ID service principal via federated identity
---
 .github/workflows/AzureDevOps.yml | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/AzureDevOps.yml b/.github/workflows/AzureDevOps.yml
index d497856f1e..2b75d1e2c8 100644
--- a/.github/workflows/AzureDevOps.yml
+++ b/.github/workflows/AzureDevOps.yml
@@ -4,20 +4,43 @@ on:
   issues:
     types: [labeled] #, opened, edited, deleted, closed, reopened, labeled, unlabeled, assigned
+  issue_comment:
+    types: [created, edited, deleted]
+
+concurrency:
+  group: issue-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+# Extra permissions needed to login with Entra ID service principal via federated identity
+permissions:
+  id-token: write
+  issues: write
 
 jobs:
   updateAzDO:
     if: github.event.label.name == 'sprint'
     runs-on: ubuntu-latest
     steps:
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.ENTRA_APP_CLIENT_ID }}
+          tenant-id: ${{ secrets.ENTRA_APP_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Get Azure DevOps token
+        id: get_ado_token
+        run:
+          # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
+          # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
+          echo "ado_token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
       - uses: pavelhorak/github-actions-issue-to-work-item@main
         env:
-          ado_token: "${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}"
+          ado_token: "${{ env.ado_token }}"
           github_token: "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}"
           ado_organization: "${{ secrets.ADO_ORGANIZATION }}"
           ado_project: "${{ secrets.ADO_PROJECT }}"
           ado_area_path: "${{ secrets.ADO_AREA_PATH }}"
-          ado_iteration_path: "${{ secrets.ADO_ITERATION_PATH }}" # this doesn't work: "@CurrentIteration('[DevDiv]\\.NET DevExp Prague')"
+          ado_iteration_path: "${{ secrets.ADO_ITERATION_PATH }}"
           ado_wit: "User Story"
           ado_new_state: "Committed"
           ado_active_state: "In Progress"
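Review bot: The "Get Azure DevOps token" step writes the freshly minted ADO access token to `$GITHUB_ENV` unmasked and without checking that `az account get-access-token` actually returned one: values appended to `GITHUB_ENV` are not masked in logs, so any later step that dumps its environment prints the token, and if the `az` call fails the `echo` still succeeds and an empty `ado_token` is handed to the work-item action. Capture the token into a shell variable first, fail the step when it is empty, register it with `::add-mask::`, and pass it as a step output rather than a job-wide environment variable, which also lets `run:` use the conventional `|` block scalar instead of a bare plain scalar preceded by YAML comments. Separately, the new `issue_comment` trigger looks dead as written: `github.event.label` is not present on comment events, so `if: github.event.label.name == 'sprint'` is false and the job never runs for them; if the intent is to sync comments the condition needs an `issue_comment` branch, and since commenters can be arbitrary users, be aware that path would let anyone trigger the OIDC login (scoped only by the federated credential's subject claim). Since the job now mints a token via OIDC and hands it to `pavelhorak/github-actions-issue-to-work-item@main`, pinning that action to a commit SHA would be prudent, and with `issues: write` now granted the `GH_PERSONAL_ACCESS_TOKEN` may be replaceable by `secrets.GITHUB_TOKEN` (verify the action does not need cross-repo access).
```yaml
      - name: Get Azure DevOps token
        id: get_ado_token
        run: |
          # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
          # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
          token="$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken --output tsv)"
          if [ -z "$token" ]; then
            echo "::error::az account get-access-token returned an empty token"
            exit 1
          fi
          echo "::add-mask::$token"
          echo "ado_token=$token" >> "$GITHUB_OUTPUT"
      - uses: pavelhorak/github-actions-issue-to-work-item@main
        env:
          ado_token: "${{ steps.get_ado_token.outputs.ado_token }}"
          # … unchanged: github_token, ado_organization, ado_project, ado_area_path, ado_iteration_path, ado_wit, state mappings …
```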