GitHub OIDC setup
All CI/CD workflows authenticate to Azure using OpenID Connect (OIDC) with federated identity credentials. No Azure client secret is stored in GitHub for this; authentication happens through a token exchange between GitHub and Azure AD.
How it works

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant AAD as Azure AD
    participant ARM as Azure Resource Manager
    GH->>AAD: Request token (OIDC)
    AAD->>GH: Issue federated token
    GH->>ARM: Authenticate with token
    ARM->>GH: Access granted
```
Setup steps
1. Create an app registration
Create an Azure AD app registration for GitHub Actions.
2. Add federated credentials
Add a federated credential with the following settings:
| Setting | Value |
|---|---|
| Repo | Jeqqe/jersal-projects-core |
| Branch | release |
| Subject (branch) | repo:Jeqqe/jersal-projects-core:ref:refs/heads/release |
| Subject (PR) | repo:Jeqqe/jersal-projects-core:pull_request |
3. Assign roles
Assign the following roles to the app registration's service principal:
| Role | Scope |
|---|---|
| Contributor | rg-jersal-projects-shared |
| Contributor | rg-jersal-site-sc |
| Storage Blob Data Contributor | stjersalprojcore |
| Storage Blob Data Contributor | stjersalprojcoresite |
4. Configure GitHub variables
Add the following as GitHub repository variables (non-sensitive):
| Variable | Description |
|---|---|
| AZURE_CLIENT_ID | App registration client ID |
| AZURE_TENANT_ID | Azure AD tenant ID |
| AZURE_SUBSCRIPTION_ID | Azure subscription ID |
| PG_SERVER_NAME | PostgreSQL server name |
| PG_ADMIN_LOGIN | PostgreSQL admin username |
| SWA_NAME | Static Web App name |
5. Configure GitHub secrets
Add the following as GitHub repository secrets (sensitive):
| Secret | Description |
|---|---|
| PG_ADMIN_PASSWORD | PostgreSQL admin password |
| AZURE_STATIC_WEB_APPS_API_TOKEN | SWA deployment token |
Verifying OIDC
The CI workflows set ARM_USE_OIDC: true as an environment variable. If authentication fails, check that the federated credential subjects match the triggering event: a push to the release branch presents the branch subject, while a pull request presents the pull_request subject, and Azure AD rejects the token when no federated credential matches the subject exactly.
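As an added example (not part of this documentation or the project's workflows), the following Python script derives the OIDC subject claim GitHub presents for a given run and checks it against the subjects configured in step 2, which is the mismatch the troubleshooting note above describes. The federated_credential_params helper, the fallback sample values and the azure/login default audience are assumptions; the environment form of the subject is included because it takes precedence over the ref form whenever a job targets a deployment environment.

```python
import os

# Federated credential subjects from step 2 of the setup (copied from the docs).
CONFIGURED_SUBJECTS = frozenset({
    "repo:Jeqqe/jersal-projects-core:ref:refs/heads/release",
    "repo:Jeqqe/jersal-projects-core:pull_request",
})

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # assumed: default audience used by azure/login


def expected_subject(repository, event_name, ref, environment=""):
    """Return the `sub` claim GitHub's OIDC provider issues for a workflow run.

    A job bound to a deployment environment gets an environment subject,
    a pull_request event gets a pull_request subject, and any other run is
    keyed on the full git ref (refs/heads/... or refs/tags/...).
    """
    if environment:
        return f"repo:{repository}:environment:{environment}"
    if event_name == "pull_request":
        return f"repo:{repository}:pull_request"
    return f"repo:{repository}:ref:{ref}"


def check_federation(repository, event_name, ref, environment="",
                     configured=CONFIGURED_SUBJECTS):
    """Report (matched, subject): whether a federated credential covers this run."""
    sub = expected_subject(repository, event_name, ref, environment)
    return sub in configured, sub


def federated_credential_params(name, subject):
    """Assumed helper: body for `az ad app federated-credential create --parameters`."""
    return {"name": name, "issuer": GITHUB_OIDC_ISSUER,
            "subject": subject, "audiences": [AZURE_AUDIENCE]}


if __name__ == "__main__":
    # Inside a workflow step the runner sets these variables; the fallbacks are
    # constructed sample values so the script also runs offline. A job's
    # deployment environment is known only from the workflow file, so pass it
    # explicitly when the job uses one.
    ok, sub = check_federation(
        os.environ.get("GITHUB_REPOSITORY", "Jeqqe/jersal-projects-core"),
        os.environ.get("GITHUB_EVENT_NAME", "push"),
        os.environ.get("GITHUB_REF", "refs/heads/main"),
    )
    print(("matched" if ok else "NO federated credential for") + f" subject {sub}")
```

Run it as a workflow step before azure/login to turn a vague token-exchange error into a precise "subject X has no federated credential" message.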