Lombiq · BenedekFarkas · Sep 28, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/.github/actions/login-to-azure/action.yml b/.github/actions/login-to-azure/action.yml
@@ -18,5 +18,7 @@ runs:
       # v1.4.6
       uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
       with:
-        creds: ${{ env.SERVICE_PRINCIPAL }}
+        client-id: ${{ env.AZURE_CLIENT_ID }}
+        tenant-id: ${{ env.AZURE_TENANT_ID }}
+        subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
         enable-AzPSSession: ${{ inputs.enable-az-ps-session }}
diff --git a/.github/workflows/build-and-test-dotnet.yml b/.github/workflows/build-and-test-dotnet.yml
@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

diff --git a/.github/workflows/build-and-test-orchard-core.yml b/.github/workflows/build-and-test-orchard-core.yml
@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

diff --git a/.github/workflows/build-dotnet.yml b/.github/workflows/build-dotnet.yml
@@ -5,6 +5,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

diff --git a/.github/workflows/create-jira-issues-for-community-activities-in-this-repo.yml b/.github/workflows/create-jira-issues-for-community-activities-in-this-repo.yml
@@ -11,7 +11,7 @@ on:
 jobs:
   create-jira-issues-for-community-activities:
     name: Create Jira issues for community activities
-    uses: Lombiq/GitHub-Actions/.github/workflows/create-jira-issues-for-community-activities.yml@dev
+    uses: Lombiq/GitHub-Actions/.github/workflows/create-jira-issues-for-community-activities.yml@issue/OSOE-688
     secrets:
       JIRA_BASE_URL: ${{ secrets.DEFAULT_JIRA_BASE_URL }}
       JIRA_USER_EMAIL: ${{ secrets.DEFAULT_JIRA_USER_EMAIL }}

diff --git a/.github/workflows/create-jira-issues-for-community-activities.yml b/.github/workflows/create-jira-issues-for-community-activities.yml
@@ -19,14 +19,17 @@ on:
         required: true
         description: The project key in JIRA, i.e. the prefix of issue keys (the "KEY" part of KEY-123).
       DISCUSSION_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub discussions, using the internal markup format of Jira
           (not Markdown). See the documentation for details.
       ISSUE_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub issues, using the internal markup format of Jira (not
           Markdown). See the documentation for details.
       PULL_REQUEST_JIRA_ISSUE_DESCRIPTION:
+        required: false
         description: >
           Template for the Jira issues to be created for GitHub pull requests, using the internal markup format of Jira
           (not Markdown). See the documentation for details.

diff --git a/.github/workflows/deploy-orchard1-to-azure-app-service.yml b/.github/workflows/deploy-orchard1-to-azure-app-service.yml
@@ -3,17 +3,31 @@ name: Deploy Orchard 1 to Azure App Service
 concurrency:
   group: AzureDeployApp
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.
-      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL:
+
+      # These secrets are used for Azure authentication through Service Principal Federated Credentials with the
+      # azure/login (https://github.com/azure/login) action, which is proxied by our login-to-azure action below.
+      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID:
+        required: true
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID:
         required: true
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID:
+        required: true
+
       AZURE_APP_SERVICE_PUBLISH_PROFILE:
         required: true
+
       MAINTENANCE_USER_NAME:
       MAINTENANCE_PASSWORD:
 
@@ -90,25 +104,30 @@ jobs:
   deploy:
     runs-on: ${{ inputs.machine-type }}
     name: Deploy to Azure App Service
+    environment: ${{ inputs.slot-name }}
     defaults:
       run:
         shell: pwsh
     timeout-minutes: ${{ inputs.timeout-minutes }}
     steps:
       - name: Checkout
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
         with:
           token: ${{ secrets.CHECKOUT_TOKEN }}
 
       - name: Enable Node corepack
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/enable-corepack@dev
 
       # Calling nuget restore separately on the actual solution, because we're passing Orchard.proj to the msbuild
       # action instead to be able to call the Precompiled target.
       - name: Restore NuGet packages
+        if: false
         run: nuget restore ${{ inputs.build-directory }}\${{ inputs.solution-or-project-path }}
 
       - name: Publish Precompiled App
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/msbuild@dev
         with:
           solution-or-project-path: Orchard.proj
@@ -120,9 +139,11 @@ jobs:
             /p:Solution=${{ inputs.build-directory }}\${{ inputs.solution-or-project-path }}
 
       - name: Login to Azure
-        uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
+        uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@issue/OSOE-688
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev
@@ -140,6 +161,7 @@ jobs:
         run: Start-Sleep -Seconds 30
 
       - name: Deploy to Azure App Service
+        if: false
         uses: azure/webapps-deploy@016bdd3f9b7cec60310bcf9da98f671628795644 # v2.2.4
         with:
           app-name: ${{ inputs.app-name }}
@@ -148,7 +170,8 @@ jobs:
           package: build\Precompiled
 
       - name: Add Azure Application Insights Release Annotation
-        if: ${{ inputs.application-insights-resource-id != '' }}
+        if: false
+        # if: ${{ inputs.application-insights-resource-id != '' }}
         uses: Lombiq/GitHub-Actions/.github/actions/add-azure-application-insights-release-annotation@dev
         with:
           release-name: "Deploy #${{ github.run_number }} to ${{ inputs.slot-name }}"
@@ -169,7 +192,8 @@ jobs:
             -SlotName ${{ inputs.slot-name }}
 
       - name: Start AfterDeploy Maintenance on the Destination Slot
-        if: inputs.maintenance-host-name != ''
+        if: false
+        # if: inputs.maintenance-host-name != ''
         run: |
           $maintenanceParameters = @{
             HostName = '${{ inputs.maintenance-host-name }}'

diff --git a/.github/workflows/deploy-to-azure-app-service.yml b/.github/workflows/deploy-to-azure-app-service.yml
@@ -3,15 +3,28 @@ name: Deploy to Azure App Service
 concurrency:
   group: AzureDeployApp
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.
-      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL:
+
+      # These secrets are used for Azure authentication through Service Principal Federated Credentials with the
+      # azure/login (https://github.com/azure/login) action, which is proxied by our login-to-azure action below.
+      AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID:
+        required: true
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID:
         required: true
+      AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID:
+        required: true
+
       AZURE_APP_SERVICE_PUBLISH_PROFILE:
         required: true
 
@@ -113,34 +126,40 @@ jobs:
   deploy:
     runs-on: ${{ inputs.machine-type }}
     name: Deploy to Azure App Service
+    environment: ${{ inputs.slot-name }}
     defaults:
       run:
         shell: pwsh
     timeout-minutes: ${{ inputs.timeout-minutes }}
     steps:
       - name: Checkout
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
         with:
           token: ${{ secrets.CHECKOUT_TOKEN }}
 
       - name: Set up .NET
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/setup-dotnet@dev
         with:
           dotnet-version: ${{ inputs.dotnet-version }}
 
       - name: Enable Node corepack
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/enable-corepack@dev
 
       # If runtime is defined, we need to add "--runtime=" to the string so it will be a valid build/publish option. The
       # "build-dotnet" action requires the additional switches to be in separate lines (even the parameters), but we can
       # take advantage of the dotnet CLI tolerating the usage of the equal sign.
       - name: Set up runtime option
+        if: false
         id: set-up-runtime-option
-        if: ${{ inputs.runtime != '' }}
+        # if: ${{ inputs.runtime != '' }}
         run: |
           "runtime-option=--runtime=${{ inputs.runtime }}" >> $Env:GITHUB_OUTPUT
 
       - name: Build and Static Code Analysis
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/build-dotnet@dev
         with:
           directory: ${{ inputs.build-directory }}
@@ -159,6 +178,7 @@ jobs:
             -p:BuildVersionDisplay_BuildUrl=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
       - name: Publish
+        if: false
         run: |
           dotnet publish (Get-ChildItem ${{ inputs.web-project-path }}).FullName `
             --no-build `
@@ -170,9 +190,11 @@ jobs:
             ${{ steps.set-up-runtime-option.outputs.runtime-option }}
 
       - name: Login to Azure
-        uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@dev
+        uses: Lombiq/GitHub-Actions/.github/actions/login-to-azure@issue/OSOE-688
         env:
-          SERVICE_PRINCIPAL: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_SERVICE_PRINCIPAL_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SERVICE_DEPLOYMENT_AZURE_SUBSCRIPTION_ID }}
 
       - name: Initialize PowerShell modules
         uses: Lombiq/Infrastructure-Scripts/.github/actions/initialize@dev
@@ -185,6 +207,7 @@ jobs:
             -SlotName ${{ inputs.slot-name }}
 
       - name: Deploy to Azure App Service
+        if: false
         uses: azure/webapps-deploy@016bdd3f9b7cec60310bcf9da98f671628795644 # v2.2.4
         with:
           app-name: ${{ inputs.app-name }}
@@ -193,6 +216,7 @@ jobs:
           package: ${{ inputs.build-directory }}/Published
 
       - name: Add Azure Application Insights Release Annotation
+        if: false
         uses: Lombiq/GitHub-Actions/.github/actions/add-azure-application-insights-release-annotation@dev
         with:
           release-name: "Deploy #${{ github.run_number }} to ${{ inputs.slot-name }}"

diff --git a/.github/workflows/msbuild-and-test.yml b/.github/workflows/msbuild-and-test.yml
@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.

diff --git a/.github/workflows/post-pull-request-checks-automation.yml b/.github/workflows/post-pull-request-checks-automation.yml
@@ -5,6 +5,7 @@ on:
     secrets:
       # We can't access org secrets here so they need to be passed in.
       MERGE_TOKEN:
+        required: false
         description: >
           An authentication token, like a personal access token (PAT), that provides write access to the repository and
           can be used to merge the pull request. This is necessary because when a pull request is merged while being

diff --git a/.github/workflows/publish-nuget.yml b/.github/workflows/publish-nuget.yml
@@ -4,6 +4,7 @@ on:
   workflow_call:
     secrets:
       CHECKOUT_TOKEN:
+        required: false
         description: >
           The GitHub token to authenticate checkout. Pass in a GitHub personal access token if authenticated submodules
           are used.