Azure · MariusStorhaug · Jun 26, 2022 · May 30, 2022 · May 30, 2022 · May 30, 2022
diff --git a/.github/actions/templates/publishModule/action.yml b/.github/actions/templates/publishModule/action.yml
@@ -88,7 +88,9 @@ runs:
     - name: Azure Login
       uses: Azure/login@v1
       with:
-        creds: ${{ env.AZURE_CREDENTIALS }}
+        client-id: ${{ env.ARM_CLIENT_ID }}
+        tenant-id: ${{ env.ARM_TENANT_ID }}
+        subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
 
     - name: 'Publish module to template specs'

diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -113,7 +113,9 @@ runs:
     - name: Azure Login
       uses: Azure/login@v1
       with:
-        creds: ${{ env.AZURE_CREDENTIALS }}
+        client-id: ${{ env.ARM_CLIENT_ID }}
+        tenant-id: ${{ env.ARM_TENANT_ID }}
+        subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
 
     # [Token replacement] task(s)

diff --git a/.github/actions/templates/validateModulePester/action.yml b/.github/actions/templates/validateModulePester/action.yml
@@ -55,7 +55,9 @@ runs:
     - name: 'Azure Login'
       uses: Azure/login@v1
       with:
-        creds: ${{ env.AZURE_CREDENTIALS }}
+        client-id: ${{ env.ARM_CLIENT_ID }}
+        tenant-id: ${{ env.ARM_TENANT_ID }}
+        subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
 
     # [Module Pester Test] task(s)

diff --git a/.github/workflows/ms.aad.domainservices.yml b/.github/workflows/ms.aad.domainservices.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.AAD/DomainServices'
   workflowPath: '.github/workflows/ms.aad.domainservices.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -115,6 +124,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.analysisservices.servers.yml b/.github/workflows/ms.analysisservices.servers.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.AnalysisServices/servers'
   workflowPath: '.github/workflows/ms.analysisservices.servers.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -115,6 +124,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.apimanagement.service.yml b/.github/workflows/ms.apimanagement.service.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.ApiManagement/service'
   workflowPath: '.github/workflows/ms.apimanagement.service.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -115,6 +124,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.appconfiguration.configurationstores.yml b/.github/workflows/ms.appconfiguration.configurationstores.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.AppConfiguration/configurationStores'
   workflowPath: '.github/workflows/ms.appconfiguration.configurationstores.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -115,6 +124,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.Authorization/policyAssignments'
   workflowPath: '.github/workflows/ms.authorization.policyassignments.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -118,6 +127,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.Authorization/policyDefinitions'
   workflowPath: '.github/workflows/ms.authorization.policydefinitions.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -118,6 +127,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs:

diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml
@@ -25,11 +25,17 @@ on:
       - 'utilities/pipelines/**'
       - '!utilities/pipelines/dependencies/**'
 
+permissions:
+  id-token: write # OIDC
+  contents: read # OIDC
+  checks: write # enricomi/publish-unit-test-result-action
+  pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
   variablesPath: 'global.variables.yml'
   modulePath: 'arm/Microsoft.Authorization/policyExemptions'
   workflowPath: '.github/workflows/ms.authorization.policyexemptions.yml'
-  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
   ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
   ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
@@ -42,6 +48,7 @@ jobs:
   job_initialize_pipeline:
     runs-on: ubuntu-20.04
     name: 'Initialize pipeline'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
   job_module_pester_validation:
     runs-on: ubuntu-20.04
     name: 'Static validation'
+    environment: 'Engineering'
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
   job_module_deploy_validation:
     runs-on: ubuntu-20.04
     name: 'Deployment validation'
+    environment: 'Engineering'
     needs:
       - job_initialize_pipeline
       - job_module_pester_validation
@@ -118,6 +127,7 @@ jobs:
   ##################
   job_publish_module:
     name: 'Publishing'
+    environment: 'Engineering'
     if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
     runs-on: ubuntu-20.04
     needs: